A phishing attack on Aurora Medical Center-Bay Area in Marinette, WI on January 1, 2020 resulted in the exposure of some protected health information (PHI) of 27,137 patients.

Several Aurora Medical Center employees responded to phishing emails and disclosed their email account credentials, giving the attackers access to those accounts. The medical center discovered the breach on January 9, 2020, immediately reset the affected passwords to block further unauthorized access, and reported the incident to law enforcement.

Aurora Medical Center launched an internal investigation to determine which information the attackers had accessed. The investigation revealed that email messages and attachments in the compromised accounts contained patients' PHI. No reports of misuse of patient data have been received; however, the possibility of data theft cannot be ruled out.

An analysis of the email messages in the accounts showed that they included a variety of PHI. The data differed from one patient to another and possibly included first, last and maiden names, date of birth, marital status, physical address, email address, phone number, passport number, Social Security number, driver's license number, medical record number, medical device number, bank account number, medical insurance account number, full-face photograph, treatment dates, and admission and discharge dates.

UPMC Altoona learned that an unauthorized person had accessed the email account of one physician and possibly viewed or acquired the PHI of a number of patients. The medical center detected the phishing attack on February 13, 2020, soon after the account was compromised.

The attacker used the compromised account to send further phishing emails. Investigators found no evidence of data theft; however, unauthorized access to PHI could not be ruled out.

A forensic investigation confirmed that the email account held patient data, including demographic data and limited clinical data. No Social Security numbers, financial data, or medical insurance data were exposed.

UPMC Altoona sent notification letters to the affected individuals on April 10, 2020. According to the breach summary on the Office for Civil Rights breach portal, the phishing attack affected 13,911 patients.